AIDE Agony

When it comes to host-based intrusion detection I'm most familiar with
the Tripwire Open Source Edition. While shopping around for a HIDS to
deploy on a play box I decided to try AIDE, and got stopped at one of
the first hurdles.

Tripwire has an interactive update mechanism: it runs a scan (based on
your config file) and then prompts you to accept, reject or mark changes
as pending, all within one operation. Unless I'm missing something, AIDE
takes a generate-signatures, user-checks-the-output, generate-signatures
approach, which leaves a huge race condition open. Any files created or
edited between the check and the second generate step will slip through
the net.
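To make that gap concrete, here is a small shell simulation (added here; it is not AIDE's or Tripwire's code) that uses sha256sum as a stand-in signature generator and contrasts the two-step regenerate-from-disk workflow with a single check-and-promote operation. It assumes sha256sum, find, sort, diff, mktemp and wc are available.

```shell
#!/bin/sh
# Simulated two-step vs one-step baseline update (added illustration, not
# AIDE or Tripwire code). Signatures are sha256sum lines over a temp tree.
set -eu

# Write a signature database for every file under $TREE to $1.
gen_db() {
    (cd "$TREE" && find . -type f | sort | xargs sha256sum) > "$1"
}

# Build a fresh tree with one monitored file and a matching baseline db.
setup() {
    WORK=$(mktemp -d)
    TREE="$WORK/tree"
    mkdir -p "$TREE/etc"
    printf 'root:x:0:0\n' > "$TREE/etc/passwd"   # constructed sample file
    gen_db "$WORK/base.db"
}

# Scan the tree into scan.db and print the signature lines that differ
# from the database given as $1 (changed or new files).
check() {
    gen_db "$WORK/scan.db"
    diff "$1" "$WORK/scan.db" | grep '^>' || true
}

# AIDE-style as described above: check, operator reads the report, then
# regenerate the baseline from disk. An edit in the gap is never reported.
two_step() {
    setup
    check "$WORK/base.db" > "$WORK/report.txt"   # operator reviews this
    printf 'late:x:0:0\n' >> "$TREE/etc/passwd"  # constructed edit in the gap
    gen_db "$WORK/base.db"                        # fresh scan becomes baseline
    n=$(check "$WORK/base.db" | wc -l | tr -d ' ')
    rm -rf "$WORK"; echo "$n"                     # prints 0
}

# Tripwire-style single operation: the baseline becomes the scan that was
# actually reviewed, so the same late edit shows up at the next check.
one_step() {
    setup
    check "$WORK/base.db" > "$WORK/report.txt"
    printf 'late:x:0:0\n' >> "$TREE/etc/passwd"  # same constructed edit
    cp "$WORK/scan.db" "$WORK/base.db"            # promote the reviewed scan
    n=$(check "$WORK/base.db" | wc -l | tr -d ' ')
    rm -rf "$WORK"; echo "$n"                     # prints 1
}

printf 'two-step reports %s change(s), one-step reports %s\n' \
    "$(two_step)" "$(one_step)"
```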